The DehoistArrayIndex function in hydrogen-dehoist.cc (aka hydrogen.cc) in Google V8 before 3.22.24.7, as used in Google Chrome before 31.0.1650.63, allows remote attackers to cause a denial of service (out-of-bounds read) via JavaScript code that sets a variable to the value of an array element with a crafted index.

- Update spec-file to fit the changes in V8 (addition of     internal ICU)

  - Building against system ICU

  - Regenerate Makefiles before using them

  - Update to 3.22.24.8

  - Security fixes (bnc#854473) :

  - CVE-2013-6638: Buffer overflow in v8

  - CVE-2013-6639: Out of bounds write in v8

  - CVE-2013-6640: Out of bounds read in v8

- Update to Chromium 31.0.1650.63 Stable channel update :

  - Security fixes :

  - CVE-2013-6634: Session fixation in sync related to 302     redirects

  - CVE-2013-6635: Use-after-free in editing

  - CVE-2013-6636: Address bar spoofing related to modal     dialogs

  - CVE-2013-6637: Various fixes from internal audits,     fuzzing and other initiatives.

  - CVE-2013-6638: Buffer overflow in v8

  - CVE-2013-6639: Out of bounds write in v8.

  - CVE-2013-6640: Out of bounds read in v8

  - and 12 other security fixes.

  - Remove the build flags to build according to the Chrome     ffmpeg branding and the proprietary codecs. (bnc#847971)

  - Update to Chromium 31.0.1650.57 Stable channel update :

  - Security Fixes :

  - CVE-2013-6632: Multiple memory corruption issues.

  - Update to Chromium 31.0.1650.48 Stable Channel update :

  - Security fixes :

  - CVE-2013-6621: Use after free related to speech input     elements..

  - CVE-2013-6622: Use after free related to media elements. 

  - CVE-2013-6623: Out of bounds read in SVG.

  - CVE-2013-6624: Use after free related to     &ldquo;id&rdquo; attribute strings.

  - CVE-2013-6625: Use after free in DOM ranges.

  - CVE-2013-6626: Address bar spoofing related to     interstitial warnings.

  - CVE-2013-6627: Out of bounds read in HTTP parsing.

  - CVE-2013-6628: Issue with certificates not being checked     during TLS renegotiation.

  - CVE-2013-2931: Various fixes from internal audits,     fuzzing and other initiatives.

  - CVE-2013-6629: Read of uninitialized memory in libjpeg     and libjpeg-turbo.

  - CVE-2013-6630: Read of uninitialized memory in     libjpeg-turbo.

  - CVE-2013-6631: Use after free in libjingle.

  - Added patch chromium-fix-chromedriver-build.diff to fix     the chromedriver build

  - Enable ARM build for Chromium. 

  - Added patches chromium-arm-webrtc-fix.patch,     chromium-fix-arm-icu.patch and     chromium-fix-arm-sysroot.patch to resolve ARM specific     build issues

  - Update to Chromium 30.0.1599.114 Stable Channel update:
    fix build for 32bit systems

  - Drop patch chromium-fix-chromedriver-build.diff. This is     now fixed upstream

  - For openSUSE versions lower than 13.1, build against the     in-tree libicu

  - Update to Chromium 30.0.1599.101

  - Security Fixes :

  + CVE-2013-2925: Use after free in XHR

  + CVE-2013-2926: Use after free in editing

  + CVE-2013-2927: Use after free in forms.

  + CVE-2013-2928: Various fixes from internal audits,     fuzzing and other initiatives.

  - Update to Chromium 30.0.1599.66

  - Easier searching by image 

  - A number of new apps/extension APIs 

  - Lots of under the hood changes for stability and     performance

  - Security fixes :

  + CVE-2013-2906: Races in Web Audio

  + CVE-2013-2907: Out of bounds read in Window.prototype     object

  + CVE-2013-2908: Address bar spoofing related to the     &ldquo;204 No Content&rdquo; status code

  + CVE-2013-2909: Use after free in inline-block rendering

  + CVE-2013-2910: Use-after-free in Web Audio

  + CVE-2013-2911: Use-after-free in XSLT

  + CVE-2013-2912: Use-after-free in PPAPI

  + CVE-2013-2913: Use-after-free in XML document parsing

  + CVE-2013-2914: Use after free in the Windows color     chooser dialog

  + CVE-2013-2915: Address bar spoofing via a malformed     scheme

  + CVE-2013-2916: Address bar spoofing related to the     &ldquo;204 No Content&rdquo; status code

  + CVE-2013-2917: Out of bounds read in Web Audio

  + CVE-2013-2918: Use-after-free in DOM

  + CVE-2013-2919: Memory corruption in V8

  + CVE-2013-2920: Out of bounds read in URL parsing

  + CVE-2013-2921: Use-after-free in resource loader

  + CVE-2013-2922: Use-after-free in template element

  + CVE-2013-2923: Various fixes from internal audits,     fuzzing and other initiatives 

  + CVE-2013-2924: Use-after-free in ICU. Upstream bug

- Update spec-file to fit the changes in V8 (addition of     internal ICU)

  - Building against system ICU

  - Regenerate Makefiles before using them

  - Update to 3.22.24.8

  - Security fixes (bcn#854473) :

  - CVE-2013-6638: Buffer overflow in v8

  - CVE-2013-6639: Out of bounds write in v8

  - CVE-2013-6640: Out of bounds read in v8

- Update to Chromium 31.0.1650.63 Stable channel update :

  - Security fixes :

  - CVE-2013-6634: Session fixation in sync related to 302     redirects

  - CVE-2013-6635: Use-after-free in editing

  - CVE-2013-6636: Address bar spoofing related to modal     dialogs

  - CVE-2013-6637: Various fixes from internal audits,     fuzzing and other initiatives.

  - CVE-2013-6638: Buffer overflow in v8

  - CVE-2013-6639: Out of bounds write in v8.

  - CVE-2013-6640: Out of bounds read in v8

  - and 12 other security fixes.

  - Remove the build flags to build according to the Chrome     ffmpeg branding and the proprietary codecs. (bnc#847971)

The remote host is affected by the vulnerability described in GLSA-201403-01 (Chromium, V8: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Chromium and V8. Please       review the CVE identifiers and release notes referenced below for       details.
  Impact :

    A context-dependent attacker could entice a user to open a specially       crafted website or JavaScript program using Chromium or V8, possibly       resulting in the execution of arbitrary code with the privileges of the       process or a Denial of Service condition. Furthermore, a remote attacker       may be able to bypass security restrictions or have other unspecified       impact.
  Workaround :

    There is no known workaround at this time.

This update resolves multiple security vulnerabilities in the V8 JavaScript just-in-time compiler.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the chromium web browser.

  - CVE-2013-6634     Andrey Labunets discovered that the wrong URL was used     during validation in the one-click sign on helper.

  - CVE-2013-6635     cloudfuzzer discovered use-after-free issues in the     InsertHTML and Indent DOM editing commands.

  - CVE-2013-6636     Bas Venis discovered an address bar spoofing issue.

  - CVE-2013-6637     The chrome 31 development team discovered and fixed     multiple issues with potential security impact.

  - CVE-2013-6638     Jakob Kummerow of the Chromium project discovered a     buffer overflow in the v8 JavaScript library.

  - CVE-2013-6639     Jakob Kummerow of the Chromium project discovered an     out-of-bounds write in the v8 JavaScript library.

  - CVE-2013-6640     Jakob Kummerow of the Chromium project discovered an     out-of-bounds read in the v8 JavaScript library.

Google Chrome Releases reports :

15 security fixes in this release, including :

- [307159] Medium CVE-2013-6634: Session fixation in sync related to 302 redirects. Credit to Andrey Labunets.

- [314469] High CVE-2013-6635: Use-after-free in editing. Credit to cloudfuzzer.

- [322959] Medium CVE-2013-6636: Address bar spoofing related to modal dialogs. Credit to Bas Venis.

- [325501] CVE-2013-6637: Various fixes from internal audits, fuzzing and other initiatives.

- [319722] Medium CVE-2013-6638: Buffer overflow in v8. This issue was fixed in v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.

- [319835] High CVE-2013-6639: Out of bounds write in v8. This issue was fixed in v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.

- [319860] Medium CVE-2013-6640: Out of bounds read in v8. This issue was fixed in v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.

The remote host has Google Chrome browser installed. Versions of Google Chrome prior to 31.0.1650.63 are affected by multiple vulnerabilities, some of which include the following:

  - Use-after-free in editing (CVE-2013-6635)

  - Out-of-bounds read/write operations and a buffer overflow vulnerability in the Chrome v8 engine, which have been fixed in version 3.22.24.7, included in the updated version of Chrome (CVE-2013-6638, CVE-2013-6639, CVE-2013-6640)

  - Address bar spoofing that can be triggered via modal dialogs (CVE-2013-6636)

  - Session fixation attack via 302 redirects in one-click sign-in flow and gaia HTTP headers, which can allow a context-dependent attacker to hijack the user session. (CVE-2013-6634)

The version of Google Chrome installed on the remote Mac OS X host is a version prior to 31.0.1650.63.  It is, therefore, affected by the following vulnerabilities :

  - An error exists related to session fixation, the sync     process and HTTP 302 redirects. (CVE-2013-6634)

  - A use-after-free error exists related to the editing     process. (CVE-2013-6635)

  - An error exists related to modal dialogs that could     allow address spoofing. (CVE-2013-6636)

  - Various unspecified errors exist having unspecified     impacts. (CVE-2013-6637)

  - An out-of-bounds read error, an out-of-bounds write     error and a buffer overflow error exist in the v8     JavaScript engine. (CVE-2013-6638, CVE-2013-6639,     CVE-2013-6640)

The version of Google Chrome installed on the remote host is a version prior to 31.0.1650.63.  It is, therefore, affected by the following vulnerabilities :

  - An error exists related to session fixation, the sync     process and HTTP 302 redirects. (CVE-2013-6634)

  - A use-after-free error exists related to the editing     process. (CVE-2013-6635)

  - An error exists related to modal dialogs that could     allow address spoofing. (CVE-2013-6636)

  - Various unspecified errors exist having unspecified     impacts. (CVE-2013-6637)

  - An out-of-bounds read error, an out-of-bounds write     error and a buffer overflow error exist in the v8     JavaScript engine. (CVE-2013-6638, CVE-2013-6639,     CVE-2013-6640)

ID	Name	Product	Family	Severity
75393	openSUSE Security Update : v8 (openSUSE-SU-2014:0092-1)	Nessus	SuSE Local Security Checks	high
75366	openSUSE Security Update : chromium (openSUSE-SU-2014:0065-1)	Nessus	SuSE Local Security Checks	critical
74870	openSUSE Security Update : v8 (openSUSE-SU-2013:1962-1)	Nessus	SuSE Local Security Checks	high
74869	openSUSE Security Update : v8 (openSUSE-SU-2013:1960-1)	Nessus	SuSE Local Security Checks	high
74861	openSUSE Security Update : chromium (openSUSE-SU-2013:1933-1)	Nessus	SuSE Local Security Checks	high
74860	openSUSE Security Update : chromium (openSUSE-SU-2013:1927-1)	Nessus	SuSE Local Security Checks	high
72851	GLSA-201403-01 : Chromium, V8: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
71626	Fedora 19 : v8-3.14.5.10-3.fc19 (2013-23437)	Nessus	Fedora Local Security Checks	high
71624	Fedora 18 : v8-3.14.5.10-3.fc18 (2013-23401)	Nessus	Fedora Local Security Checks	high
71622	Fedora 20 : v8-3.14.5.10-3.fc20 (2013-23361)	Nessus	Fedora Local Security Checks	high
71254	Debian DSA-2811-1 : chromium-browser - several vulnerabilities	Nessus	Debian Local Security Checks	high
71238	FreeBSD : chromium -- multiple vulnerabilities (79356040-5da4-11e3-829e-00262d5ed8ee)	Nessus	FreeBSD Local Security Checks	high
801613	Google Chrome < 31.0.1650.63 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	medium
71228	Google Chrome < 31.0.1650.63 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high
71227	Google Chrome < 31.0.1650.63 Multiple Vulnerabilities	Nessus	Windows	high

Detections

Analytics

CVE-2013-6640

medium

Tenable Plugins

high

critical

high

high

high

high

critical

high

high

high

high

high

medium

high

high